Selig
4c966a3ad2
6 custom skills (assign-task, dispatch-webhook, daily-briefing, task-capture, qmd-brain, tts-voice) with technical documentation. Compatible with Claude Code, OpenClaw, Codex CLI, and OpenCode.
1.5 KiB
1.5 KiB
macOS Signing
Overview
The macOS signing process for OpenClaw is automated through build scripts that handle code signing, bundle identification, and metadata injection.
Key Components
Main Script: scripts/package-mac-app.sh orchestrates the packaging and signing workflow, requiring Node 22+ for TypeScript and Control UI builds.
Signing Identity: The process reads the SIGN_IDENTITY environment variable. Developers can configure a persistent signing certificate by exporting this value in their shell configuration.
Core Functionality
The packaging script performs several tasks:
- Establishes a stable debug bundle identifier (
ai.openclaw.mac.debug) - Updates Info.plist with the bundle identifier
- Invokes
codesign-mac-app.shto sign binaries and the app bundle - Implements timestamping for Developer ID signatures (configurable via
CODESIGN_TIMESTAMP) - Injects build metadata (
OpenClawBuildTimestampandOpenClawGitCommit) - Validates Team ID consistency across all Mach-O files
Signing Options
| Option | Configuration |
|---|---|
| Auto-selection | Run script without environment variables |
| Production certificates | SIGN_IDENTITY="Developer ID Application: Name" |
| Ad-hoc signing | ALLOW_ADHOC_SIGNING=1 or SIGN_IDENTITY="-" |
| Offline builds | CODESIGN_TIMESTAMP=off |
Important Caveat
Ad-hoc signatures automatically disable the Hardened Runtime to prevent framework loading failures. This approach compromises TCC permission persistence between rebuilds.